The Most Important Bitwarden Setting You Never Heard Of

Science & Technology

Your online passwords can be safe against hackers, but it requires specific changes to your Bitwarden settings.
Make these changes and your passwords will become practically uncrackable.
With these settings, even a vault theft like the LastPass breach would have done far less damage.
📝 Sign up for my free weekly security newsletter: weekendbyte.teachmecyber.com/
Links
Bitwarden: bitwarden.com/
Table of Contents
00:00 - Intro
00:24 - Why LastPass was bad
00:50 - Password cracking
01:48 - Best Defense #1 (Master Password)
02:59 - How Bitwarden logons work
04:32 - Backup Your Bitwarden Vault
05:16 - Best Defense #2 (KDF Settings)
05:36 - KDF default settings
06:05 - Argon2id overview
07:18 - Default Argon2id settings
08:14 - Better Argon2id settings
08:31 - Most Secure Argon2id settings
08:57 - Applying new KDF settings
09:47 - Increasing KDF settings
10:58 - Testing what works
11:36 - Closing
LinkedIn: jrebholz

Comments: 111

  • @matthiasm7092 (6 months ago)

    If you use more than 64MB of memory, iOS autofill won’t work anymore. Bitwarden updated this information.

  • @teachmecyber (6 months ago)

    Thanks for the info!

  • @miran289 (7 months ago)

    God bless your soul. Having had multiple email addresses for years and for different purposes it was a nightmare for me to figure out a way to keep track of all my passwords, so before, I used to have similar pws to use on all of them and that led all my accounts to get hacked earlier this year and it left me paranoid ever since. Now, I don't save any passwords anywhere and don't even trust the browsers with it, so coming across your Bitwarden videos was a true blessing and it gave me a much needed sense of cyber security. THANK YOU SO MUCH!

  • @teachmecyber (7 months ago)

    Glad this was helpful for you!

  • @robertbishop7078 (9 months ago)

    Before Argon2id was available I had the iterations at 2 million. This took about 16 sec to decrypt on my Amazon Fire HD 10 Plus (2021). In May after I knew Bitwarden was updated across all my devices to support Argon2id. Late June I did my own digging on what these settings mean. I did not modify the settings as far as you showed. Default Argon2id was 4 sec to decrypt. After my changes to the iterations, it is about 10 sec to decrypt the vault. Thanks for describing these settings.

  • @teachmecyber (9 months ago)

    Nice! You were well ahead of the game before argon2id became available. The order of operations for increasing values would be memory and then iterations. Those are the two most important ones (and the ones that impact the amount of time to decrypt). If you haven't seen this, check it out for more testing. It was super helpful for me: antelle.net/argon2-browser/

  • @susanway2023 (9 months ago)

    @teachmecyber Jason, I have Argon2id with 6,128,8. Thoughts on that, strong enough? And is that stronger and harder to crack vs PBKDF2 600000?

  • @FrederikWoellert (4 months ago)

    Very good video. Never heard of those Argon2id settings. Thanks.

  • @teachmecyber (4 months ago)

    Thanks, appreciate the feedback!

  • @ScriptureFirst (1 month ago)

    Excellent explanation 🙏🏼💎

  • @teachmecyber (1 month ago)

    Glad it was helpful!

  • @susanway2023 (9 months ago)

    Thank you Jason, I really love your videos, very educational. As a result of your videos, I went to Bitwarden from Keepass. And may I ask your thoughts on Proton Pass? Worth looking into?

  • @teachmecyber (9 months ago)

    Glad to hear that! I haven't done a full deep dive yet on Proton Pass. I typically favor companies who focus on the password manager as their primary business. So things like 1password, Bitwarden, and Dashlane.

  • @EdwardsNH (7 months ago)

    You can (and should) change all your passwords stored in lastpass (then switch to something like bitwarden), but sadly, any notes will still be there for the hackers. Eventually, it WILL be cheap to crack all of the stolen collections, and your notes are theirs

  • @teachmecyber (7 months ago)

    +1 for changing your passwords in lastpass. Even with the notes, it will be good to go through those notes and make sure there isn't anything sensitive that needs to be changed (e.g. like security questions and things of that nature).

  • @mike80808 (4 months ago)

    Changing the notes won't matter. The copies of the vaults that were stolen have the notes from when they were stolen last summer (2022).

  • @nethiyashwanth124 (9 months ago)

    Good content 👍

  • @teachmecyber (9 months ago)

    Thanks! Hope it was helpful in securing your passwords!

  • @lajtilajti8687 (9 months ago)

    I had never heard of Argon2id before, thanks.

  • @teachmecyber (9 months ago)

    You got it!

  • @jono2702 (1 month ago)

    Thank You, Thank You, Thank You!!!

  • @teachmecyber (27 days ago)

    Thanks for watching!

  • @unmapped89361 (8 months ago)

    Good advice. But I think with a lot of iterations with PBKDF2 there is also a delay there. Your explanation sounded like the delay would be new with Argon2id...

  • @teachmecyber (8 months ago)

    That's correct, with more iterations on PBKDF2 there will also be a delay.

  • @coold501 (8 months ago)

    Explain more about Bitwarden... I have been using it for 2 years and I was unaware of this. Please make a detailed, in-depth exploration video on Bitwarden.

  • @teachmecyber (8 months ago)

    Thanks for the feedback! If I get some more requests on this, I'll make a more in depth video on how it all works behind the hood.

  • @neuideas (6 months ago)

    My Bitwarden password is 44 characters long, and my PBKDF2 iteration count is 1 million. I set this up before Argon was available. Unlocking my vault on my cheap Onn tablet takes a few seconds or so, so I figure I have hit the sweet spot for now. I'll consider Argon in the future, though.

  • @teachmecyber (6 months ago)

    You've got a great set up with that combination. Argon will have some more security control against certain types of attacks, but they're not a huge concern for the majority of people.

  • @dannyl6507 (5 months ago)

    It doesn't matter what the algorithm is. For example, let's say you have a really weak password of 1234; then the hash for 1234 will still be whatever that hash is. So entering 1234 will still unlock your vault regardless of what hashing algorithm is being used on the backend. The point is to use a strong passphrase.

  • @teachmecyber (5 months ago)

    A strong master password is the first and most important step. The algorithm just adds a layer of security in the event someone does try to brute force it. It's added protection against a lastpass type scenario.

  • @1080pixel (4 months ago)

    Hashing isn't the only thing being applied... salts and multiple iterations will harden even a simple password like 1234. Of course, it wouldn't withstand a brute-force attempt.

  • @seanmcmurphy4744 (2 months ago)

    @1080pixel The point is a password like 1234 is going to be on every common password list and is going to be one of the first tried in a brute force attack.

  • @1080pixel (2 months ago)

    @seanmcmurphy4744 Do you know what salting does?

  • @maxmustermann9858 (9 months ago)

    Please don't say uncrackable; nothing is uncrackable. Even when it mathematically takes 200 million years to guess a password, there are always ways to shorten this time. Especially when you take algorithms like AES, or hashing algorithms like SHA-256 or Argon2, there is always the possibility that there is a security flaw in the algorithm itself. A truly uncrackable algorithm would be the one-time pad, but everything that is mathematically calculated can be cracked, especially with quantum technology.

  • @teachmecyber (9 months ago)

    Yes, everything is going to be crackable with limitless time or the advancement of quantum computing. But for 99.9% of people, this setup will keep their vaults in a position that won't be crackable given their risk profile.

  • @maxmustermann9858 (9 months ago)

    @teachmecyber Yes, that's true. In cyber security you only need to run faster than your friends to not get chased. But I think it's wrong to say that anything is uncrackable. I understand what you mean, but for someone who doesn't know a lot or anything about that, it implies that it's really uncrackable. When you explain it like you did now, it would bring people closer to the reality without underestimating the risk. But everything else is great. It would be great to see videos for advanced or more tech-savvy people in the future. Keep going!

  • @teachmecyber (9 months ago)

    Any advanced topics in particular you'd like to see?

  • @maxmustermann9858 (9 months ago)

    @teachmecyber Maybe something like how to handle a digital will in a secure way (government proof), which I would still consider basic, but some IoT stuff with things like mDNS and firewalls. Or things like ransomware protection. All your videos are fine, but what I'm missing is that you go really deep and explain the details. It's not a must and can be boring or unnecessary for the average viewer; it would just be some input you can maybe use for orientation.

  • @teachmecyber (9 months ago)

    Thanks for the feedback!

  • @rodneyhigginson323 (4 months ago)

    Great stuff man, thanks for the tip. So yeah, I've been dealing with hacking for a minute. Would love to know if I could be hacked while a page is loading? I use the "copy and paste" method when inputting my username and password, which might not be the safest. So when I go back to the page I'm trying to log in to, could those hackers switch pages on me and have me logging in to a phishing site?

  • @teachmecyber (4 months ago)

    The biggest risk with copying / pasting is that you could be putting it into a phishing page. With autofill or passkeys, it will detect the URL and only put the password (or passkey) in if it recognizes the URL.

  • @rodneyhigginson323 (4 months ago)

    @teachmecyber thanks man, just what I'd figured.

  • @Panicthescaredycat (25 days ago)

    Would the next best option be a Yubikey?

  • @Abdulrahman-my3tu (2 months ago)

    thanks

  • @teachmecyber (2 months ago)

    Thanks for watching!

  • @hugoanes1947 (7 months ago)

    If you use more security and it takes long, I assume that you use the remember session? Or every time you log in to something you go, put in your password and 2FA code, and wait for Bitwarden to open?

  • @teachmecyber (7 months ago)

    This depends on the site. I prefer to login each time if the site doesn't have any additional security protections. E.g. some mail clients like Google will force a more secure login if the device is not recognized. The main risk is that if you're not using a secure MFA method like passkeys or FIDO2 hardware, you could get phished. This could steal your session token which would give the attacker access to your account. Check out my video on 2FA for more info on that style of attack.

  • @americanswan (2 months ago)

    @teachmecyber Good point about session keys. I have Yubikeys set for all my major accounts.

  • @susanway2023 (9 months ago)

    Jason, what does it mean exactly to rotate my accounts encryption keys and do you support doing that?

  • @teachmecyber (9 months ago)

    The encryption key is used to encrypt the vault. So if you change your master password it doesn't change the encryption key. Typically you only rotate your encryption key if you have reason to suspect it has been compromised. For most users, they won't need to rotate their encryption key.

  • @susanway2023 (9 months ago)

    @teachmecyber Gotcha, thanks :)

  • @the-Gammaron (8 months ago)

    Hello, can you please measure the time difference between argon2id, and the default one? Also, do you think my low-end Android could handle it?

  • @teachmecyber (8 months ago)

    Here's a website you can use to test the different timings. You can also run this from your Android to test the difference and tune it to something that works best for you. antelle.net/argon2-browser/

  • @the-Gammaron (8 months ago)

    @teachmecyber is argon2id and argon2di the same?

  • @teachmecyber (8 months ago)

    Yep, same thing!

  • @susanway2023 (9 months ago)

    Jason, so is my understanding correct... whenever we create a database, our password is NEVER sent to Bitwarden, only the HASH. If that is the case, how can Bitwarden verify our password is correct when opening the database if all they have is a copy of a "HASH" and not the password? Thank you kindly :)

  • @teachmecyber (9 months ago)

    The only way to calculate the right hash is to have the right master password! It's a nice way to ensure that someone has the right password without needing the actual password.

  • @shirashakti (15 days ago)

    I love the tinfoil hat cats with the sound and all the little video game things you put in your videos. This is boring stuff, but you're the 7th grade teacher I wish I had!

  • @user-ri4ev3gd1s (1 month ago)

    What do you think about using YubiKey 5C with Bitwarden?

  • @teachmecyber (1 month ago)

    It's the most secure option!

  • @user-ri4ev3gd1s (1 month ago)

    That’s great! I JUST set mine up with one, along with your recommendation from this video, Argon2id. Thanks for all the info!!!!

  • @gablen23 (8 months ago)

    After setting it up as suggested the first time (Argon2id, 500 MB, KDF 6 and 8), I was able to log back into the web safe without any problems, but the mobile keeps giving me errors: "username or password is incorrect. Try again." Does this mean that this setup is too strong for my mobile? I tried lower values, but that didn't work either, so I had to reset it to PBKDF2 SHA-256 and 600,000 KDF iterations to be able to log in on my mobile.

  • @teachmecyber (8 months ago)

    No, it would just go super slow on mobile but wouldn't throw this type of error. Double-check the master password you're typing in.

  • @gablen23 (8 months ago)

    @teachmecyber Well, I figured out what the problem was. I wrote to support, they replied very quickly, and it turned out that the region setting was wrong because I had chosen EU instead of US. As they wrote, it doesn't depend on the physical location, but on where it was initially established. Very useful video, by the way, thank you!

  • @teachmecyber (8 months ago)

    Ahh okay, that makes sense. It's likely because they're not storing the vaults in both regions, so you need to make sure you're connecting to the right one. Thanks for letting me know!

  • @WaseemM2 (5 months ago)

    Imagine entering a really long master password/phrase on a mobile device when you install Bitwarden or when it times out. It is a pain, especially with various virtual keyboard behaviors.

  • @teachmecyber (5 months ago)

    You can configure it to use your fingerprint and not prompt for the password

  • @JulesE521 (1 month ago)

    When backing up the Bitwarden vault, where is the safest place to store a .json file after exporting the vault?

  • @teachmecyber (1 month ago)

    If you're doing it as a backup, you can store it on an encrypted USB drive.

  • @chefmike8888 (7 days ago)

    I trade with family members. 3 members have mine in case my sister lost mine, like usual. But I placed it on her computer where she doesn't go. The external drive I get called over to update when she needs to. I'm the family IT guy, so they don't know that we all have the important backup files in the classic 3-place rule.

  • @Hawk_112 (2 months ago)

    I tried the 2nd method of Argon2id (the 500 MB one) and on my PC it's slower than mobile, but still fine (about 7 sec on mobile and about 12 on PC).

  • @teachmecyber (2 months ago)

    Wow, I would not have expected that!

  • @Hawk_112 (2 months ago)

    @teachmecyber yeah, kinda weird lol. Btw I have a 6th gen i7 and 16 GB RAM on the PC and my mobile has a Qualcomm 732G with 6 GB RAM, so that desktop CPU should be a lot better in terms of power 😅

  • @terranova45074 (2 months ago)

    Can the same be done with my RoboForm??

  • @teachmecyber (2 months ago)

    You're likely okay!

  • @loki76 (8 months ago)

    2:05 that chart doesn't show special characters/symbols. If it had those in the chart, the "strong" section wouldn't be measured in "centuries" but in millions/billions of years. At least with conventional computing power.

  • @teachmecyber (8 months ago)

    I think you'll appreciate this: specopssoft.com/blog/best-password-practices-to-defend-against-modern-cracking-attacks/ Not the most direct comparison as it focuses on cracking MD5 hashes for passwords, but it shows the addition of special characters and how that can support the strength of your passwords.

  • @williamschlass6371 (3 months ago)

    Why would further encrypting your master password matter? Wouldn't it be easier for the hacker to simply try to brute force your password either way? So why does it make any real difference whether you use SHA-256 or Argon2id?

  • @teachmecyber (3 months ago)

    Argon2id slows down the brute-forcing process. It basically just takes longer to calculate whether the password is right or not, which slows down the attacker's ability to guess passwords. It's helpful in the LastPass scenario where attackers stole the vault.

  • @williamschlass6371 (3 months ago)

    @teachmecyber I see, thank you for the clarification!

  • @ScottElblein (16 days ago)

    @teachmecyber So then really the entire purpose of this is specifically to add in that login delay time?

  • @marijnable (9 months ago)

    I don't think the bottleneck is the encryption at this point. If your password is indeed 16+ chars with some punctuation, people are not going to try and crack it. If they really wanted access they would do so by other means, like phishing or social engineering. Uncrackable, sure, but impossible to get unauthorized access? No.

  • @teachmecyber (9 months ago)

    100% agree with you. That's why the use of a strong master password and MFA will help secure your account. These settings are useful in dealing with a LastPass scenario where the vault is stolen.

  • @rajmerchant3178 (7 months ago)

    😊

  • @rajmerchant3178 (7 months ago)

    😊😊😊

  • @notreallyme425 (7 months ago)

    How does someone trying to crack your password know how many characters long your password is and if you’re using punctuation?

  • @teachmecyber (6 months ago)

    They won't know how long or complicated your password is. The weaker the password though, the easier it will be for them to have a match. They typically will start with less complex passwords because it's quicker to check.

  • @Gorky25 (2 months ago)

    How much is ok to put for KDF?

  • @teachmecyber (2 months ago)

    The current minimum recommended amount is 600,000. I would go higher if your devices support it.
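
    Several questions in this thread (how Bitwarden can verify the master password when it only holds a hash, why a salt does not rescue a password like 1234, what a slower KDF actually buys against a stolen vault, and how to pick an iteration count) come down to one small model. The block below is an added example written for this page, not Bitwarden's own code. It follows the structure Bitwarden documents (the client derives a master key with PBKDF2-SHA256 salted by the account email and sends the server only a further hash of that key), but it uses PBKDF2 from Python's standard library in place of Argon2id, and the account, passwords, iteration counts and wordlist are constructed for illustration.

```python
"""Vault-login model: slow KDF, salted hash, offline cracking, and tuning.

Added illustration, not Bitwarden's code. The flow mirrors Bitwarden's
documented design (master key = PBKDF2-SHA256(master password, salt = email);
the server stores only a further hash of that key). Argon2id is not in the
Python standard library, so PBKDF2 stands in: the way iterations multiply an
attacker's work is the same idea Argon2id's memory and iteration settings use.
"""
import hashlib
import hmac
import time

MIN_ITERATIONS = 600_000   # the minimum recommended in the reply above


def master_key(password: str, email: str, iterations: int) -> bytes:
    """Client-side slow step. The email is the salt, so two users with the same
    password get different keys and a precomputed hash table is useless."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               email.lower().encode(), iterations, dklen=32)


def login_hash(password: str, email: str, iterations: int) -> bytes:
    """What the client sends: one extra round over the key, salted with the
    password. The master password itself never leaves the device."""
    key = master_key(password, email, iterations)
    return hashlib.pbkdf2_hmac("sha256", key, password.encode(), 1, dklen=32)


def server_verify(stored: bytes, presented: bytes) -> bool:
    """The server holds only `stored`; it cannot recover the password, but the
    right password reproduces the same bytes. Constant-time compare."""
    return hmac.compare_digest(stored, presented)


def crack_with_wordlist(stored: bytes, email: str, iterations: int, wordlist):
    """Offline attacker with a stolen hash (the LastPass scenario). The salt is
    public, so a weak password on the wordlist still falls; what the KDF buys
    is that every guess costs `iterations` rounds. Returns (password, guesses)."""
    for n, guess in enumerate(wordlist, 1):
        if server_verify(stored, login_hash(guess, email, iterations)):
            return guess, n
    return None, len(wordlist)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Fastest of `samples` timings of one key derivation on this machine."""
    best = float("inf")
    for _ in range(samples):
        t0 = time.perf_counter()
        master_key("timing-probe", "probe@example.com", iterations)  # constructed input
        best = min(best, time.perf_counter() - t0)
    return best


def tune_iterations(target_seconds: float, probe: int = 50_000) -> int:
    """Pick an iteration count so one unlock takes about `target_seconds` here
    (the "testing what works" step), never below MIN_ITERATIONS. Run it on the
    slowest device you own, since that device sets the ceiling."""
    per_iteration = seconds_per_guess(probe) / probe
    wanted = int(target_seconds / per_iteration)
    return max(MIN_ITERATIONS, wanted - wanted % 1000)


if __name__ == "__main__":
    email, weak = "alice@example.com", "1234"   # constructed account, weak on purpose
    iters = 1_000                               # tiny count to keep the demo fast
    stored = login_hash(weak, email, iters)
    print("server verifies:", server_verify(stored, login_hash(weak, email, iters)))
    print("same password, other user, different hash:",
          stored != login_hash(weak, "bob@example.com", iters))
    print("cracked:", crack_with_wordlist(stored, email, iters, ["password", "123456", "1234"]))
    print("iterations for a ~1 s unlock on this machine:", tune_iterations(1.0))
```

    The salt changes the hash per user, so two accounts that both use 1234 look different and no precomputed table helps; it does nothing against the attacker's third guess. The iteration count (or Argon2id's memory and iteration settings) is what makes each of those guesses expensive, and it only matters once the vault has been stolen. `tune_iterations` is the experiment the video does by hand: measure on your slowest device, then pick the largest setting that still unlocks in a time you can live with.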

  • @merlinsreturn (7 months ago)

    What does "make sure it's not sitting in your system" mean in the context of the master password? It's annoying and frustrating when you assume your audience knows what specifics you are referring to, like the clipboard or some other place. I don't want the back-and-forth questioning to understand your words. I should get it from the video.

  • @teachmecyber (7 months ago)

    That was in reference to the password export when you are migrating to Bitwarden. You don't want to have the password export sitting on your computer, because someone can get your passwords in cleartext from that file.

  • @ActuallyAwesomeName (9 months ago)

    6:12 LOL Paschword Hasching Competischion

  • @teachmecyber (9 months ago)

    They have competitions for everything!

  • @JessindoPrakarsa (4 months ago)

    Uhh, me migrating from LastPass to Bitwarden with a CSV file, ugh, secure... the +62 crowd (Indonesia) would never understand 🤣🤣

  • @teachmecyber (4 months ago)

    Did you run into issues?

  • @MikeHunt-rw4gf (7 months ago)

    Algorithm.

  • @teachmecyber (6 months ago)

    👍
